Is it secure to pass login credentials as plain text in an HTTPS URL?
https://domain.com/ClientLogin?Email=jondoe@gmail.com&Passwd=123password
Update: So let’s say this is not being entered in the browser, but being generated programmatically and being requested with a POST request (not a GET request). Is it secure?
Solution:
It is not secure to use this type of URL in a GET request (i.e. typing the URL into the browser) as the requested URL will be saved in browser history and server logs.
However, it is secure to submit as a POST request to https://domain.com/ClientLogin (i.e. submitting a form) while passing the credentials as part of the POST body, since the POST body is encrypted and sent after making a connection to the requested URL. So, the form action would be https://domain.com/ClientLogin and the form field values will be passed in the POST body.
Here are some links that helped me understand this better:
Answer to StackOverflow Question: Are https URLs encrypted?
Straightforward Explanation of SSL and HTTPS
No. They won’t be seen in transit, but they will remain in:
If it’s at all possible, use POST over HTTPS on authentication, and then set a “authenticated” cookie, or use HTTP Digest Authorization over HTTPS, or even HTTP Basic auth over HTTPS – but whatever you do, don’t put secret/sensitive data in the URL.
Edit: when I wrote “use POST”, I meant “send sensitive data over HTTPS in POST fields”. Sending a
POST http://example.com/ClientLogin?password=hunter2is every bit as wrong as sending it with GET.TL;DR: Don’t put passwords in the URL. Ever.